Exploiting D-Link webcams

Vectra Labs has a blog post on how easy it is to attack U-Boot-based D-Link webcams, using simple tools like BusPirate, FlashROM, and BinView. I wonder if the U-Boot in question was using U-Boot Verified Boot or not? At a higher level, this blog seems to be a good example of how insecure the current generation of IoT devices is, and how much (or little) you should rely on such devices.

[…] Conclusion

So does all this mean that D-Link’s web camera has a major security issue? Not necessarily – we get what we pay for, and asking a vendor who sells a webcam on Amazon for $30 to provide safe firmware update features which would require a TPM or a specialized chip to verify the content and signature of a software update is not very realistic. Rather the point of this demonstration is to highlight the real impact that IoT devices pose to the attack surface of a network. As we’ve shown, the barriers to hacking these devices are relatively low, and even the most basic devices can provide the plumbing for a persistent command-and-control channel. While these devices are low-value in terms of hard costs, they still matter to the security of the network, and teams need to keep an eye on them to reveal any signs of malicious behavior.

*Vectra disclosed the issue to D-Link in early December 2015. As of January 7, 2016, the company has not provided a fix.

Full post:
http://blog.vectranetworks.com/blog/turning-a-webcam-into-a-backdoor

Inexpensive Webcam Turned into Backdoor


https://www.grahamcluley.com/2016/01/easy-convert-cheap-webcam-network-backdoor/
http://www.techworm.net/2016/01/heres-how-a-cheap-webcam-can-be-converted-into-network-backdoor.html
